Merge "restrict app access to socket ioctls" into mnc-dev
diff --git a/domain.te b/domain.te
index bf3295c..19de0c0 100644
--- a/domain.te
+++ b/domain.te
@@ -93,6 +93,7 @@
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
allow domain init:key search;
+allow domain vold:key search;
# logd access
write_logd(domain)
@@ -349,6 +350,10 @@
-zygote
-installd
-dex2oat
+ -system_server # TODO: The system server needs to create directories
+ # and link files for split APK installs. This could perhaps be
+ # removed if we made installd responsible for manipulating the
+ # staging directory.
} dalvikcache_data_file:file no_w_file_perms;
# Only system_server should be able to send commands via the zygote socket
diff --git a/file.te b/file.te
index 3ecb143..555b89f 100644
--- a/file.te
+++ b/file.te
@@ -171,6 +171,7 @@
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
+type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
diff --git a/file_contexts b/file_contexts
index bcb4ae0..406f6a8 100644
--- a/file_contexts
+++ b/file_contexts
@@ -82,6 +82,7 @@
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/sap_uim_socket[0-9] u:object_r:sap_uim_socket:s0
+/dev/socket/cryptd u:object_r:vold_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
@@ -239,6 +240,7 @@
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
diff --git a/init.te b/init.te
index 9f624ba..34b010c 100644
--- a/init.te
+++ b/init.te
@@ -96,7 +96,7 @@
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
+allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -161,6 +161,10 @@
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ domain_auto_trans(init, logcat_exec, logd)
+')
# Support "adb shell stop"
allow init self:capability kill;
@@ -257,11 +261,7 @@
# linux keyring configuration
allow init init:key { write search setattr };
-# Allow init to link temp fs to unencrypted data on userdata
-allow init tmpfs:lnk_file { create read getattr relabelfrom };
-
-# Allow init to manipulate /data/unencrypted
-allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;
unix_socket_connect(init, vold, vold)
diff --git a/keystore.te b/keystore.te
index 3561fed..83a0e85 100644
--- a/keystore.te
+++ b/keystore.te
@@ -23,7 +23,7 @@
### Protect ourself from others
###
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -keystore -init } keystore_data_file:dir *;
diff --git a/logd.te b/logd.te
index 8c28b48..b0d978f 100644
--- a/logd.te
+++ b/logd.te
@@ -10,6 +10,10 @@
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
allow logd system_data_file:file r_file_perms;
+allow logd misc_logd_file:file create_file_perms;
+allow logd misc_logd_file:dir rw_dir_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
r_dir_file(logd, domain)
@@ -17,6 +21,11 @@
control_logd(logd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ unix_socket_connect(logd, logdr, logd)
+')
+
###
### Neverallow rules
###
diff --git a/shell.te b/shell.te
index c55ce3e..ac55346 100644
--- a/shell.te
+++ b/shell.te
@@ -15,6 +15,9 @@
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
+# logpersistd (nee logcatd) files
+allow shell misc_logd_file:dir r_dir_perms;
+allow shell misc_logd_file:file r_file_perms;
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
diff --git a/system_app.te b/system_app.te
index 3720c3d..c0ac65b 100644
--- a/system_app.te
+++ b/system_app.te
@@ -48,13 +48,7 @@
allow system_app asec_apk_file:file r_file_perms;
allow system_app servicemanager:service_manager list;
-allow system_app mediaserver_service:service_manager find;
-allow system_app nfc_service:service_manager find;
-allow system_app radio_service:service_manager find;
-allow system_app surfaceflinger_service:service_manager find;
-allow system_app system_app_service:service_manager add;
-allow system_app app_api_service:service_manager find;
-allow system_app system_api_service:service_manager find;
+allow system_app service_manager_type:service_manager find;
allow system_app keystore:keystore_key {
get_state
diff --git a/system_server.te b/system_server.te
index 878e5ff..5d1398a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -16,6 +16,25 @@
allow system_server dalvikcache_data_file:file execute;
allow system_server dalvikcache_data_file:dir r_dir_perms;
+# For PackageInstallerSession.
+#
+# All of these rules relate to the installation and compilation of split
+# APKs. Roughly, the process is as follows. The rules below only pertain
+# to step (3) of the process
+#
+# (1) Create a staging directory.
+# (2) Link existing APKs from the split
+#
+# (3) Link existing compiled oat files : This requires "create_dir_perms"
+# to create oat directories (foo/oat and foo/oat/x86), "relabelto" to
+# make sure they have the right label, and "link" to link files.
+#
+# (3) Invoke dex2oat to compile the updated / new split
+# (4) Rename the staging directory back to the final path.
+allow system_server dalvikcache_data_file:file link;
+allow system_server dalvikcache_data_file:dir relabelto;
+allow system_server dalvikcache_data_file:dir create_dir_perms;
+
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;
@@ -311,6 +330,7 @@
# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };
+allow system_server cache_file:fifo_file create_file_perms;
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
diff --git a/uncrypt.te b/uncrypt.te
index f701084..752124d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -14,11 +14,12 @@
r_dir_file(uncrypt, shell_data_file)
')
-# Create tmp file /cache/recovery/command.tmp
# Read /cache/recovery/command
-# Rename /cache/recovery/command.tmp to /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+# Write to pipe file /cache/recovery/uncrypt_status
allow uncrypt cache_file:dir rw_dir_perms;
allow uncrypt cache_file:file create_file_perms;
+allow uncrypt cache_file:fifo_file w_file_perms;
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)
diff --git a/vold.te b/vold.te
index 1a1913e..9ab00c7 100644
--- a/vold.te
+++ b/vold.te
@@ -140,8 +140,8 @@
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
-# Allow init to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms;
# Write to /proc/sys/vm/drop_caches
@@ -151,7 +151,11 @@
allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;